RECEIVED 

FEB. 26. 2007 5:19PM 5106630920 CENTRAL FAX CENTER p. 4

FEB 26 2007

IN THE CLAIMS

Please enter the following amendments to the claims. The amendments are believed to
introduce no new matter. 

1. (Withdrawn) A method for authenticating network entities in a fibre channel
network, the method comprising:

receiving a fibre channel authentication message from a first network entity at a second
network entity in a fibre channel network, wherein the authentication message provides
information for authenticating or reauthenticating the first network entity in the fibre channel
network;

determining that both the first network entity and the second network entity support
security;

verifying that the first network entity corresponds to an entry in an authentication table
associated with the second network entity;

receiving first network entity verification information that confirms the identity of the
first network entity.

2. (Withdrawn) The method of claim 1, further comprising generating a session key at
the second network entity, wherein the session key is generated using public information
associated with the first network entity and a random parameter.

3. (Withdrawn) The method of claim 1, further comprising:

exchanging security association parameters such as the SPI and the algorithm identifier.

4. (Withdrawn) The method of claim 1, wherein the authentication message is
associated with a request for a fabric login.

5. (Withdrawn) The method of claim 1, wherein determining that both the first and
second network entities support security comprises identifying a security enable parameter in
the initialization message.

6. (Withdrawn) The method of claim 1 further comprising determining which 
authentication and key exchange protocol are supported by the two entities. 

7. (Withdrawn) The method of claim 2, wherein the public information associated with
the first network entity is provided to the second network entity by the first network entity.

8. (Withdrawn) The method of claim 2, wherein the session key generated at the
second network entity is also generated at the first network entity using public information
associated with the second network entity and a random parameter provided by the second
network entity.

9. (Withdrawn) The method of claim 8, wherein the public information associated with 
the second network entity is provided to the first network entity by the second network entity. 

10. (Withdrawn) The method of claim 8, wherein first network entity verification
information is generated at the first network entity using public information associated with the
first and second network entities and the session key.

11. (Withdrawn) The method of claim 10, further comprising verifying that the first
network entity verification information received corresponds to verification information
generated at the second network entity using public information associated with the first and
second network entities and the session key.

12. (Withdrawn) The method of claim 11, further comprising transmitting second
network entity verification information to the first network entity, wherein the second network
entity verification information is generated at the second network entity using public
information associated with the first network entity, the first network entity verification
information, and the session key.

13. (Withdrawn) The method of claim 12, wherein the second network entity
verification information transmitted corresponds to second network entity verification
information generated at the first network entity using public information associated with the
first network entity, the first network entity verification information, and the session key.

14. (Withdrawn) The method of claim 8, wherein the second network entity is a
storage device in a storage area network.

15. (Withdrawn) The method of claim 8, wherein the first and second network entities
are domain controllers in a storage area network.

16. (Withdrawn) The method of cto^^

are switches, 

17. (Withdrawn) The method of claim 8, wherein the first network entity is a host.

18. (Withdrawn) The method of claim 17, wherein the second network entity is a
storage device.

19. (Withdrawn) The method of claim 8, wherein the authentication message is a fibre 
channel authentication message. 

20. (Withdrawn) The method of claim 19, wherein the authentication message is a
login message.

21. (Withdrawn) The method of claim 20, wherein the authentication message is a
PLOGI or FLOGI message.

22. (Withdrawn) The method of claim 8, further comprising:

storing security association information associated with the first network entity.

23. (Withdrawn) The method of claim 8, further comprising:

transporting security association information in the messages exchanged between the two
network entities.

24. (Withdrawn) The method of claim 22, wherein security association information
comprises an identifier associated with the first network entity and the session key.

25. (Withdrawn) The method of claim 24, wherein security association information
further comprises an encryption algorithm identifier and an authentication algorithm identifier.

26. (Currently Amended) A method for processing frames in a fibre channel network
having a first network entity and a second network entity, the method comprising:

receiving a frame at a first network entity from the second network entity in a fibre
channel network;

identifying a security control indicator in the frame from the second network entity;

determining that a security association identifier associated with the frame corresponds
to an entry in a security database;

decrypting a first portion of the frame by using algorithm information contained in
the entry in the security database.

27. (Original) The method of claim 26, wherein the entry in the security database was
created after a fibre channel network authentication sequence between the first and second
network entities.

28. (Original) The method of claim 27, wherein the first portion is decrypted using a
key contained in the entry in the security database.

29. (Original) The method of claim 27, wherein the first portion is encrypted using
DES, 3DES or AES.

30. (Original) The method of claim 27, further comprising:

recognizing that a second portion of the frame supports authentication;

using algorithm information contained in the entry in the security database to
authenticate the second portion of the frame.

31. (Original) The method of claim 30, wherein the second portion is authenticated
using MD5 or SHA1.

32. (Original) The method of claim 30, wherein the authentication sequence is a fibre
channel login sequence between the first and second network entities.

33. (Original) The method of claim 32, wherein the login sequence is a PLOGI or 
FLOGI sequence. 

34. (Original) The method of claim 32, wherein the first and second network entities
are domain controllers and the authentication sequence is a FC-CT sequence.

35. (Original) The method of claim 32, wherein the first and second network entities
are domain controllers and the authentication sequence is a SW_ILS sequence.

36. (Previously Presented) A method for transmitting encrypted frames in a fibre
channel network having a first network entity and a second network entity, the method
comprising:

identifying a fibre channel frame having a source corresponding to the first network
entity and a destination corresponding to the second network entity;

determining if the fibre channel frame corresponds to the selectors of an entry in a
security database;

encrypting a first portion of the fibre channel frame using key and algorithm
information associated with the entry in the security database;

providing a security control indicator in the fibre channel frame, wherein the security
control indicator specifies that the fibre channel frame is encrypted;

transmitting the fibre channel frame to the second network entity.

37. (Original) The method of claim 36, wherein the entry in the security database was
created after a fibre channel network authentication sequence between the first and second
network entities.

38. (Original) The method of claim 36, wherein the payload is encapsulated using the 
Authentication Header protocol or the Encapsulating Security Payload protocol. 

39. (Original) The method of claim 38, further comprising adding security information
to the header of the fibre channel frame.

40. (Original) The method of claim 37, wherein a first portion of the fibre channel
frame is encrypted using DES, 3DES, or AES.

41. (Original) The method of claim 37, wherein parameters in the header are 
normalized prior to encrypting the first portion of the fibre channel frame. 

42. (Original) The method of claim 41, wherein the payload is padded prior to 
encrypting the first portion of the fibre channel frame. 

43. (Original) The method of claim 37, further comprising:

computing authentication data using key and algorithm information as well as a second
portion of the fibre channel frame.

44. (Original) The method of claim 43, wherein authentication data is computed using
MD5 or SHA1.

45. (Original) The method of claim 43, wherein the authentication sequence is a fibre 
channel login sequence between the first and second network entities. 

46. (Original) The method of claim 45, wherein the login sequence is a PLOGI or 
FLOGI sequence. 

47. (Original) The method of claim 45, wherein the first and second network entities
are domain controllers and the authentication sequence is a FC-CT sequence or an SW_ILS
message.

48. (Previously Presented) An apparatus for transmitting encrypted frames in a fibre 
channel network having a first network entity and a second network entity, the apparatus 
comprising: 

means for identifying a fibre channel frame having a source corresponding to the first 
network entity and a destination corresponding to the second network entity; 

means for determining if the fibre channel frame corresponds to the selectors of an
entry in a security database;

means for encrypting a first portion of the fibre channel frame using key and algorithm
information associated with the entry in the security database;

means for providing a security control indicator in the fibre channel frame, wherein the 
security control indicator specifies that the fibre channel frame is encrypted; 

means for transmitting the fibre channel frame to the second network entity. 

49. (Original) The apparatus of claim 48, wherein the entry in the security database 
was created after a fibre channel network authentication sequence between the first and second 
network entities. 

50. (Original) An apparatus for receiving encrypted frames in a fibre channel network 
having a first network entity and a second network entity, the apparatus comprising: 

means for identifying that the frame has been secured 

means to lookup the security parameters in a security database that allow the
de-encapsulation of the frame

means to decrypt the eventually encrypted frame

means to verify that the message has been sent by the sender, and that has not been
tampered during its transmission.